From e13d18969f7f26b2c7b8ed299e57ecee0e831f9a Mon Sep 17 00:00:00 2001
From: Drew Jaynes <info@drewapicture.com>
Date: Thu, 17 Sep 2015 09:39:24 +0000
Subject: [PATCH] Docs: Add a reminder to the DocBlock description for
 `add_query_arg()` mentioning that the output is not escaped by default.

Props brentvr for the initial patch. (first props!)
See #33912. See #32246.

Built from https://develop.svn.wordpress.org/trunk@34264


git-svn-id: http://core.svn.wordpress.org/trunk@34228 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/functions.php | 4 ++++
 wp-includes/version.php   | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/wp-includes/functions.php b/wp-includes/functions.php
index bad987c9f1..342dd0e157 100644
--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@@ -680,6 +680,10 @@ function _http_build_query( $data, $prefix = null, $sep = null, $key = '', $urle
  * value. Additional values provided are expected to be encoded appropriately
  * with urlencode() or rawurlencode().
  *
+ * Important: The return value of add_query_arg() is not escaped by default.
+ * Output should be late-escaped with esc_url() or similar to help prevent
+ * vulnerability to cross-site scripting (XSS) attacks.
+ *
  * @since 1.5.0
  *
  * @param string|array $param1 Either newkey or an associative_array.
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 83cf61b566..77dc1732ae 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '4.4-alpha-34263';
+$wp_version = '4.4-alpha-34264';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.